Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/13/2018
10:30 AM
Kevin Kurzawa
Kevin Kurzawa
Commentary
100%
0%

RIP, 'IT Security'

Information security is vital, of course. But the concept of "IT security" has never made sense.

Information security is vital, of course, and I'm not proposing its elimination. But it's time to kill off the whole concept of IT security because it never made sense in the first place.

Without doubt, information security is an essential function for any organization that values its data and/or reputation. However, the term "IT security" leads to confusion about what the security roles are, where the responsibilities start and end, and how competing objectives between departments are prioritized. This is especially important because information security has priorities opposed to those of the IT department.

Defining Terms
There are two possible meanings for "IT security." One focuses on the types of controls under its scope, applying only to technical safeguards and putting aside the administrative and physical ones. The alternative definition specifies the department that security is concerned with — IT, that is — and ignores information maintained by other departments.

Just as there is no marketing-specific security or HR-specific security, an IT-specific security focus makes little logical sense. Placing information security within another department leads to a narrower and short-sighted implementation of information security for the whole organization. 

Where IT Security Fails
When primary security expertise is located under the IT department, the perspective is restricted to the realm of the IT department and veers from information security's traditional holistic, organizational oversight. These two departments have different concerns, risks, and priorities. Some of the IT priorities are adaptability, technical features, and efficiency; infosec priorities include confidentiality, integrity, and availability. Some overlap occasionally will exist, but it is not significant enough to overcome the glaring differences and frequent conflicts between the two. 

An objective for one department introduces risks for the other. One example is the vulnerability scanning of network devices. Scans may cause additional scheduling headaches for IT, misbehaving devices, and user complaints about the efficiency of the systems. The consequence of a seemingly innocuous scan is that IT must temporarily put aside its priorities in order to react to these complications. So, obviously, vulnerability scanning is not on the IT wish list.

These frustrations work in both directions. New features that IT implements introduce more vulnerabilities, more systems to secure, and more risks. Information security staffers have additional headaches for every new system introduced to the environment. Therefore, a separation with distinct executive authorities should be maintained to serve as a check and balance to each other in the same way that a finance department exists to create a budget and prevent one department from spending all of the company's profits.

CIOs Are Not CISOs
I have the utmost respect for CIOs and the responsibilities that are endlessly heaped upon them. However, one responsibility that they should not be tasked with is information security. Infosec has its own skill set and mindset, which are different from those in IT because of how people in that role have been trained and conditioned. The difference in ability causes a difference in position; CIOs are specialists in IT, and CISOs are specialists in information security.

It's human nature for us to have a bias toward the things we know best. If security is under IT — as is the case with IT security — this bias will relegate the security objectives to secondary priorities, with IT goals taking precedence. Or, as sometimes happens, security objectives become merely an afterthought to IT's priorities. 

Infosec Done by IT
It's true that many organizations aren't large enough to justify an entire department for information security — especially when that group may be only one or two individuals, or not have a specialist. Usually in these situations, the responsibility for security controls are incorporated into the roles for whichever IT staff member is working on a function that overlaps both IT and infosec. This maintains the IT department as both the implementor and verifier of its own work, a significant conflict of interest. 

A Match Made in Heaven
Most every organization that has begun to implement security controls also already has either a risk management or internal audit department. Either of these departments is a better fit for an emerging information security group. A significant aspect of infosec is the verification of controls, and the independence from the operational duties of that which is being evaluated is key. This leaves the IT department as the implementors of the technical security controls, just as they were. However, now the governance of deciding which controls to implement and the verification of their effectiveness reside with an impartial entity outside of IT.

Give Infosec Some Respect
Information security deserves an equal footing just like any other foundational department, such as accounting, marketing, or IT. Conflicts between the different priorities should be settled by senior executives from multiple disciplines looking holistically at the costs and benefits instead of the inherently IT-focused CIO handling this intradepartmentally.

Make the Move
If you have an IT security group or security-focused staff that takes direction and reports to the head of IT (i.e., the CIO, VP of IT, etc.), then take the opportunity to properly segregate duties and the conflicting interests from one another. Move the processes for verifying technical, administrative, and physical information security controls to a separate department than the one implementing them.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hucklesinthedark
100%
0%
hucklesinthedark,
User Rank: Author
11/19/2018 | 6:11:20 PM
Cybersecurity
I've always treated cybersecurity as a part of IT security, and you know how I feel about IT security now. I combine them because of the word cyber. Which means the internet, or all things digital. Hence, it's very limiting and most definitely wouldn't guard against the lost briefcase.

I assume cybersecurity is so frequently used because it has a cool rating of +8. There aren't many other words that can make you sound like a ninja quite like cyber can.
eatondave
0%
100%
eatondave,
User Rank: Strategist
11/19/2018 | 9:30:05 AM
and whilst we're at it let's kill "cyber security" as well
Am I the only one who has never really gotten the whole 'cyber security' thing? To my knowledge no-one has ever been able to come up with a definition that is universally accepted and every definition I've seen either misses out whole chunks of information security or tries to shoehorn them in, and ends up looking ridiculous. 

Whenever someone tries to explain to me that 'cyber security' covers everything I just ask them which 'cyber bucket' they place the risk of the CEO leaving his briefcase containing hardcopies of the latest M&A deal he's working on in the Uber cab.

Sure there are info sec risks in cyber land, just as there are info sec risks in the physical world, and info sec risks in the neural world as well. By sprinkling the term 'cyber' around like confetti at a wedding, we risk making that part of the risk spectrum which actualy causes the greatest number of incidents, namely the bioware; layer 8; users; people or as someone said to me recently - the 1D10T segment, think that it does not apply to them or that technology will fix everything.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...